Once executed, the worm downloads a file from the following location: [http://]www.sukien.org/tamdiep/Download/A9.[REMOVED]

The worm then saves the downloaded file as the following file: %Windir%\taskmng.exe The worm creates the following registry entry so that it runs every time Windows starts: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Task Manager" = "%Windir%\taskmng.exe"

The worm then modifies the following registry entry to disable the manual modification of the Internet Explorer home page: HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\"Homepage" = "1"

The worm also modifies the following registry entries to disable the Task Manager and the Registry Editor: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableTaskMgr" = "1" HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableRegistryTools" = "1"

The worm then modifies the following registry entry to change the Internet Explorer home Page: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Start Page" = "[http://]www.sukien.org"

The worm modifies the following registry entries to change the settings of Yahoo! Instant Messenger:

The worm modifies the following registry entry to change the title of the Internet Explorer: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Window Title" = "[http://]www.sukien.org/lo[REMOVED] :: Another Version of [http://]www.sukien.org/lo[REMOVED] :: Chut gi de nho..."

Next, the worm sends the following messages through Yahoo! Instant Messenger: